Pangolin is an open-source, identity-aware remote access platform built on WireGuard — combining reverse proxy, VPN, NAT traversal and zero-trust RBAC into one self-hostable app, and the best self-hosted Cloudflare Tunnel alternative in 2026.
Pangolin is an open-source, identity-aware remote access platform built on WireGuard — a single self-hostable app that combines a tunneled reverse proxy, a full VPN, intelligent NAT traversal and zero-trust RBAC in one place. We rate it 83/100 — the cleanest open-source alternative to Cloudflare Tunnels and Tailscale in 2026, provided you are comfortable running a VPS and can live with the userspace WireGuard client being a touch slower than a kernel one.
Pangolin is built by Fossorial, Inc., the team behind the fosrl GitHub org. The first public commits landed in , and the project has since grown to 20.4k+ GitHub stars, 1,000,000+ deployments worldwide and a $4.7M seed round raised in 2025 to take the team full-time. The latest release at the time of writing is v1.17.1, published on .
The pitch is simple. If you self-host anything — a home lab, a handful of internal web apps, an SSH jumpbox, a production database behind NAT — getting tunneled, authenticated access has historically meant wiring together at least three tools: a reverse proxy (Traefik, Caddy), a tunnel provider (Cloudflare Tunnel, Tailscale Funnel, ngrok), and an identity layer (Authelia, Authentik, Keycloak). Pangolin rolls all of that into one app with a clean web UI, automatic TLS, OIDC and built-in RBAC — and lets you keep the whole thing on your own infrastructure under an AGPLv3 license.
Sentiment across r/selfhosted, the GitHub issue tracker and independent blog reviews is overwhelmingly positive. Writers at noted.lol and Mikael's BrainDump highlight that Pangolin "fills a genuine gap" — previously you had to stitch Traefik, Authelia and Cloudflare Tunnel together; Pangolin folds all three jobs into one product with a coherent web UI. DB Tech and Pi My Life Up call the setup "seamless" and the dashboard "intuitive".
The honest complaints are worth knowing. Real-world reviewers on leewc.com note that the userspace WireGuard client is less performant than the kernel driver on Linux (though that is mitigable), and that the resource-creation flow initially reads like it has validation errors because of an unclear UX pattern. Multiple GitHub issues flag rough edges around firewall/DNS setup on fresh installs, and the free self-hosted tier is limited to 3 users / 1 site / 25 GB of bandwidth — enough for a homelab, tight for a small business.
Pangolin has two pricing surfaces: a Pangolin Cloud tier (fully managed) and a self-hosted tier (BYO VPS). Both start free.
| Plan | Price | Key Limits |
|---|---|---|
| Cloud — Basic | $0 forever | Up to 5 users, 5 sites, 5 domains, custom domains, peer-to-peer, no credit card |
| Cloud — Team | $4 / user / month | External IDPs, multi-role RBAC, audit logging, device posture, policy enforcement |
| Cloud — Business | $9 / user / month | Multiple orgs, IDP auto-provisioning, SSH management, device approvals, custom branding |
| Cloud — Enterprise | Custom | SCIM, SIEM streaming, premium relay nodes, priority SLA |
| Self-host — Community | $0 (AGPLv3) | Open source, community support, 3 users / 1 site / 25 GB free |
| Self-host — Starter | $449 / year ($37/mo) | Up to 25 users and sites, all Enterprise features unlocked |
| Self-host — Scale | $1,249 / year ($104/mo) | Up to 50 users, 100 sites, ticket-based support |
For a direct comparison: Tailscale's paid plan starts at $6/user/month, Cloudflare Zero Trust is $7/user/month, and Twingate is $10/user/month — all cloud-only. Pangolin's $4/user/month Cloud Team tier undercuts the category on pricing, and the AGPLv3 self-host path costs $0 forever for any homelabber who can run a VPS.
Best for: Self-hosters, homelabbers, DevOps engineers and small IT teams who want to replace a messy stack of Cloudflare Tunnel + Authelia + Traefik (or Tailscale + nginx + Keycloak) with one coherent app; MSPs who manage distributed client networks and want zero-trust RBAC they can actually self-host; and any organisation that genuinely prefers AGPLv3 on its own infrastructure over renting from Cloudflare or Tailscale.
Not ideal for: Teams that are already deep into Tailscale's ACL model or Cloudflare Zero Trust's global edge — Pangolin runs on your hub, not a 300-POP CDN, so latency for far-flung users depends on where you place your server. Regulated enterprises that need SOC 2 / ISO certifications, SCIM and signed SLAs should plan on the Enterprise tier or the Business Cloud plan rather than the free self-host.
Pros:
Cons:
Cloudflare Tunnel is the closest hosted equivalent — free and globally edge-distributed, but closed source and requires you to live inside Cloudflare's ecosystem. Tailscale is the polished mesh-VPN king with an excellent ACL model, but its free plan tops out at 3 users and the core control plane is proprietary. Self-hosted open-source peers include Headscale (a community Tailscale control plane, VPN only — no reverse proxy), NetBird (similar mesh VPN, partly open source) and traditional stacks like Traefik plus Authelia — which do the job but require glue work Pangolin eliminates.
Yes. For anyone who self-hosts and has ever duct-taped Cloudflare Tunnel + Traefik + Authelia together to expose a web app with login, Pangolin is the single biggest quality-of-life upgrade of 2026. It is not quite a complete Tailscale replacement — Tailscale's ACLs and the global edge still win for some workloads — but as a unified, AGPLv3, identity-aware remote access hub with a clean web UI, nothing else in the open-source world comes close. We rate it 83/100: a few points shy of outstanding because of the userspace-WireGuard performance gap and some UX rough edges. Start on Pangolin Cloud's free Basic plan or docker compose up the Community Edition this afternoon.
docker compose up -d on any Linux VPS, or one-click install from the DigitalOcean marketplace. The Community Edition is AGPLv3 and free, with paid self-host tiers at $449/year (Starter) and $1,249/year (Scale) unlocking Enterprise features.
Hosting & InfrastructureFull-stack cloud platform for deploying applications with automatic scaling, monitoring, and integrated infrastructure
Hosting & InfrastructureOpen-source self-hostable PaaS — deploy 280+ services on your own servers
Hosting & InfrastructureUp to 55x faster Docker builds and GitHub Actions runners, at half the cost
Hosting & InfrastructureHardware-virtualized global cloud — deploy any Dockerfile to 35+ regions with Fly Machines and Sprites
Google Makes Ironwood TPU Generally Available and Splits TPU 8 Into Training and Inference Chips (April 2026)
At Google Cloud Next on April 22, 2026, Google made its seventh-generation Ironwood TPU generally available and previewed an eighth-generation architecture split into a Broadcom-designed training chip (TPU 8t "Sunfish") and a MediaTek-designed inference chip (TPU 8i "Zebrafish"). Anthropic will take up to one million TPU chips as part of the rollout.
Apr 22, 2026
Apple Names John Ternus CEO as Tim Cook Moves to Executive Chairman (April 2026)
Apple on April 20, 2026 announced that hardware chief John Ternus will become chief executive officer on September 1, 2026, with Tim Cook moving to executive chairman after nearly 15 years leading the company — the most consequential tech CEO handover of the decade.
Apr 22, 2026
Kubernetes 1.36 Released: HPA Scale-to-Zero, User Namespaces and OCI Volumes Go Stable (April 2026)
The Kubernetes community shipped v1.36 on April 22, 2026, with 80 enhancements including HPA scale-to-zero enabled by default, stable user namespaces and OCI volumes, the retirement of Ingress-NGINX, and the removal of the gitRepo volume plugin.
Apr 22, 2026
Is this product worth it?
Built With
Compare with other tools
Open Comparison Tool →